
Mask Your Checksums (The Gorry Details)





Eric (@XlogicX) Davisson
tcpunmask (GitHub)
impress.js framework by Bartek Szopka (GitHub)



Slide Notes
This is not groundbreaking! When submitting packet data to newsgroups and mailing lists, it is common wisdom to mask sensitive bits.

IP addresses and the like are candidates for sanitizing.

Sanitizing checksums is also recommended practice.

This talk attempts to...






Slide Notes
But First a Digression: Barcodes

-Barcodes have checksums too

-They are a simpler example to deal with

-They are very analogous to what we are going to do with IP and TCP checksums






Slide Notes
022600926207
-Calculate a UPC checksum:

-Add all of the digits in the odd positions

-Multiply that sum by 3

-Add the sum of the digits in the even positions (excluding the last digit, which is the checksum itself)

-The tricky part: the checksum is the number you must add to this total to reach the next number divisible by 10


Slide Notes
Example (022600926207)
-Sum of odd-position digits * 3: (0 + 2 + 0 + 9 + 6 + 0) * 3 = 51

-Sum of even-position digits (added to the previous calculation): 51 + 2 + 6 + 0 + 2 + 2 = 63

-The next number divisible by 10 is 70; it takes "7" added to 63 to get there

-Checksum is 7




Slide Notes
What if We Lost a Digit?:
0226009?6207 - We don't know the 8th digit

However, we still do have the checksum

We will treat this like any hash-based brute force

(Guess all possible values and see if the hashes match)






Slide Notes
Digit Guessing Attack
Guess           Checksum
022600906207    9
022600916207    8
022600926207    7
022600936207    6
022600946207    5
022600956207    4
022600966207    3
022600976207    2
022600986207    1
022600996207    0
Slide Notes
But Wait, There's More!: The checksum isn't the only thing that leaks data

In General:
Barcode Format: T LLLLL RRRRR C
T - Type of Product
L - Left Digits
R - Right Digits
C - CheckSum






Slide Notes
Product Types:

-3: Pharma

-0, 1, 6, 7, & 8: Normal products, where LLLLL is the manufacturer and RRRRR is the specific product

-5 and 9: Coupons

-2 and 4: Local to the store

-4: Normal store knock-off brands, loyalty cards, and some coupons

-2: Items sold by variable weight
Variable-weight items, such as meats and fresh fruits and vegetables, are assigned a UPC by the store,
if they are packaged there. In this case, the LLLLL is the item number,
and the RRRRR is either the weight or the price, with the first R determining which.



Slide Notes
Simple Example Breakdown:
-Our original barcode example was: 022600926207
-So 0 means it's a normal product
-22600 means that the manufacturer is "Trojan"
-92620 means that the product is "Ultra Thin Lubricated"

Slide Notes
More Complex Example:
Store Brand Banana

2 12345 2 1234 9

-2: This is a store brand produce item

-12345: This is the type of product (we will call it a banana)

-2: We will assume this means weight

-1234: This is the weight of our banana

-9: Checksum
Slide Notes
Things that leak data:

-first digit: we know it has to be 2 or 4, and more likely 4

-digits 2-5 may be similar to items around it

-if 6th digit defines weight, you can guess digits 7-11 more reliably if you have the weight of the product

-and the 12th digit can give you any 1 digit that you do not know





Slide Notes
UPC to TCP/IP metaphor (Trojan): IP has a 2-byte checksum, and so does TCP

Both IP and TCP refer to Source and Destination IP addresses for their calculations

If you have only IP checksum, you can guess any 2 arbitrary bytes

If you have both checksums, you can guess any 4 arbitrary bytes of IP (unless it's the IP addresses), and another 2 bytes of TCP



Slide Notes
The TCP/IP banana: What else can we use to narrow bad guesses down:

-IP protocol != 4 or 6

-Header length less than 20

-Invalid TTLs based on OS

-GeoIP data, Bogons, etc... oh my





Slide Notes
ASCII hex of the packet, with masked-out nibbles shown as ?'s

45000030ec774000720666e7d9e00cb0 ????4e86069e00993181267300000000 7002fd20717e0000020405a001010402
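As an added example (not code from the talk or from tcpunmask), the brute force the slides describe, run against the masked packet above: every value of the '?' nibbles is tried, the IP header checksum filters the guesses, and the TCP checksum (pseudo-header plus segment) confirms the survivor. The packet bytes are the slide's; the function names are assumptions.

```python
import itertools

# Constructed input: the masked packet from the slide above (IP header followed
# by a TCP SYN), the two unknown bytes of the destination IP written as '?'.
MASKED = ("45000030ec774000720666e7d9e00cb0"
          "????4e86069e00993181267300000000"
          "7002fd20717e0000020405a001010402")

def checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, carries folded, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_checksum_ok(pkt: bytes) -> bool:
    """A header whose stored checksum is correct sums (checksum included) to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0

def tcp_checksum_ok(pkt: bytes) -> bool:
    """TCP checksum covers a pseudo-header (src, dst, proto, length) plus the segment."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:20] + bytes([0, pkt[9]]) + len(seg).to_bytes(2, "big")
    return checksum(pseudo + seg) == 0

def unmask(masked_hex: str, confirm_tcp: bool = True) -> list:
    """Try every value for the '?' nibbles (16**n guesses) and keep those the
    IP header checksum accepts; optionally also require the TCP checksum."""
    holes = [i for i, c in enumerate(masked_hex) if c == "?"]
    chars = list(masked_hex)
    hits = []
    for guess in itertools.product("0123456789abcdef", repeat=len(holes)):
        for pos, nib in zip(holes, guess):
            chars[pos] = nib
        pkt = bytes.fromhex("".join(chars))
        if ip_checksum_ok(pkt) and (not confirm_tcp or tcp_checksum_ok(pkt)):
            hits.append("".join(chars))
    return hits

def dst_ip(pkt_hex: str) -> str:
    """Dotted-quad destination address of a 20-byte IP header in hex."""
    return ".".join(str(b) for b in bytes.fromhex(pkt_hex)[16:20])

if __name__ == "__main__":
    for h in unmask(MASKED):
        print(h[32:40], "->", dst_ip(h))   # 80524e86 -> 128.82.78.134
```

For this packet the IP checksum alone already leaves a single candidate out of 65536; the TCP pass is the independent confirmation the slides refer to when both checksums are available.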







Slide Notes
Results:

IP: 128.82.78.134

dig -x: h078134.s078.odu.edu

ASN: ASN-ODU-AS-AS - Old Dominion University







Slide Notes
What happens when we get hundreds or more results after brute forcing?

We can do "bogon" filtering, but this only chips away about 20% [citation needed] of the results

We can also have the script output GeoIP data for each IP, and this is VERY powerful

In this next example, I do bogon filtering and run the results through GeoIP (using the MaxMind database)
Slide Notes
Questions